A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.
Delaware Department of Health and Social Services – Database Misconfiguration
The Delaware Department of Health and Social Services, Division of Developmental Disabilities Services (DDDS) has recently discovered that a misconfiguration occurred when new user accounts were created for the division’s client database. As a result of the misconfiguration, access was granted to the records of 7,074 individuals.
The misconfiguration was discovered on August 23, 2022, with the investigation confirming 159 new user accounts had been created that provided access to service recipients’ personally identifiable information and protected health information, as well as some more detailed information. 12 cases were identified where records were actively accessed by the users, but many more records may have been passively accessed. It was not possible to determine how many records were passively accessed. As such, the decision was taken to notify all 7,074 individuals, who have been offered complimentary credit monitoring services for 12 months.
Steps have since been taken to improve security to prevent similar misconfigurations in the future. The lessons learned from the incident will be applied to the new client data management system that is currently being developed and is due to be implemented in 2023.
Country Doctor Community Clinic, WA – Hacking Incident
Country Doctor Community Clinic in Seattle, WA, announced on October 19, 2022, that hackers had gained access to its digital environment and viewed and potentially obtained files containing the protected health information of 38,751 patients.
Unusual activity was detected in its computer systems on October 6, 2022. Immediate action was taken to secure its IT systems and prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack. A review was conducted to determine the types of information that had been compromised, then up-to-date contact information had to be obtained for affected individuals. That process concluded on October 14, 2022.
Country Doctor Community Clinic said names, addresses, Social Security numbers, dates of birth, and other protected health information were potentially compromised. Credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed. Steps have also been taken to improve security to prevent similar breaches in the future.
Riverside Medical Group, NJ – Hacking Incident
Riverside Medical Group, an adult medical practice serving patients in Northern New Jersey, has discovered that hackers gained access to a legacy server at its clinic in West Orange and may have viewed or obtained files containing patient data. The compromised server belonged to a provider who used it to store immunization records. No other systems were affected.
Riverside Medical Group said the breach was detected on August 3, 2022. The review of files on the server determined they contained the protected health information of 12,499 patients, including name, date of birth, address, gender, phone number, email address, immunization records, dates of immunizations, provider information, health plan information, and in limited instances, Social Security number. Riverside Medical Group said it is unaware of any actual or attempted misuse of patient information.
The Valley Hospital, NJ – Improper Disposal of Documents Containing PHI
The Valley Hospital in Ridgewood, NJ, has recently announced that the records of individuals who visited an outpatient COVID-19 testing facility have been disposed of in an improper manner and could potentially have been accessed or obtained by unauthorized individuals.
The improper disposal incident was detected by The Valley Hospital on August 29, 2022. In its substitute breach notice, the hospital said post-COVID-19 testing instructions were discarded in a recycling bin at the testing facility, rather than being sent for shredding. The documents included the names of the providers administering COVID-19 tests and labels that included patient names, medical record numbers, location codes, and service dates.
The hospital attempted to recover the documents but was unable to retrieve them. The breach affected patients who received COVID-19 tests at the site between June 1 and September 1, 2022. Notifications have now been sent to affected individuals. It is currently unclear how many patients have been affected.
The post Hacking, Database Misconfigurations, and Improper Disposal Incidents Reported appeared first on HIPAA Journal.